Index: www/apache24/Makefile =================================================================== --- www/apache24/Makefile +++ www/apache24/Makefile @@ -78,6 +78,8 @@ LDAP_CONFIGURE_ON= --enable-ldap=shared +BROTLI_CONFIGURE_ON= --with-brotli=${LOCALBASE} +BROTLI_LIB_DEPENDS= libbrotlicommon.so:archivers/brotli HTTP2_CONFIGURE_ON= --with-nghttp2=${LOCALBASE} HTTP2_LIB_DEPENDS= libnghttp2.so:www/libnghttp2 LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit @@ -85,7 +87,6 @@ LUA_USES= lua PROXY_HTTP2_CONFIGURE_ON= --with-nghttp2=${LOCALBASE} PROXY_HTTP2_LIB_DEPENDS= libnghttp2.so:www/libnghttp2 - SOCACHE_DC_CONFIGURE_ON= --with-distcache=${LOCALBASE} SOCACHE_DC_LIB_DEPENDS= libdistcache.so:security/distcache @@ -98,7 +99,6 @@ SSL_USES= ssl .include - ETC_SUBDIRS= Includes envvars.d extra modules.d APR_CONFIG?= ${LOCALBASE}/bin/apr-1-config @@ -150,6 +150,11 @@ .include .include "${APACHEDIR}/Makefile.modules" +.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1100085 &&\ + ${PORT_OPTIONS:MHTTP2} && ${OPENSSLBASE} == /usr +SUB_FILES+= pkg-message +.endif + post-extract: # remove possible leftover .svn directories in the sources @${FIND} ${WRKSRC} -type d -name .svn -print | ${XARGS} ${RM} -r Index: www/apache24/Makefile.options =================================================================== --- www/apache24/Makefile.options +++ www/apache24/Makefile.options @@ -11,11 +11,10 @@ # mod_proxy_html and xml2enc depending on libxml2 PROXY_ENABLED_MODULES= \ - PROXY_AJP PROXY_BALANCER PROXY_CONNECT PROXY_EXPRESS PROXY_FCGI \ + PROXY_AJP PROXY_BALANCER PROXY_CONNECT PROXY_EXPRESS PROXY_FCGI PROXY_HTTP2 \ PROXY_FDPASS PROXY_FTP PROXY_HCHECK PROXY_HTML PROXY_HTTP PROXY_SCGI PROXY_WSTUNNEL -PROXY_DISABLED_MODULES= \ - PROXY_HTTP2 +PROXY_DISABLED_MODULES= # SESSION_CRYPTO need APR build with crypto (EVP support in APR) SESSION_ENABLED_MODULES= \ 
@@ -40,7 +39,7 @@ DATA DAV DAV_FS DAV_LOCK DBD DEFLATE DIALUP DIR DUMPIO \ ENV EXPIRES EXT_FILTER \ FILE_CACHE FILTER \ - HEADERS HEARTBEAT HEARTMONITOR \ + HEADERS HEARTBEAT HEARTMONITOR HTTP2 \ IMAGEMAP INCLUDE INFO \ LBMETHOD_BYBUSYNESS LBMETHOD_BYREQUESTS LBMETHOD_BYTRAFFIC \ LBMETHOD_HEARTBEAT LOGIO LOG_DEBUG LOG_FORENSIC \ @@ -55,9 +54,8 @@ WATCHDOG XML2ENC MOST_DISABLED_MODULES:= \ - AUTHNZ_LDAP IDENT LDAP LUA SOCACHE_DC SUEXEC HTTP2 + AUTHNZ_LDAP BROTLI IDENT LDAP LUA SOCACHE_DC SUEXEC -# XXX PROXY and SESSION are modules but also used to # enable/disable additional PROXY/SESSION modules META_MODULES= PROXY SESSION Index: www/apache24/Makefile.options.desc =================================================================== --- www/apache24/Makefile.options.desc +++ www/apache24/Makefile.options.desc @@ -63,6 +63,7 @@ AUTH_FORM_DESC= Form authentication AUTOINDEX_DESC= Directory listing +BROTLI_DESC= Brotli compression support BUCKETEER_DESC= (dev) buckets manipulation filter BUFFER_DESC= Filter Buffering @@ -99,7 +100,7 @@ HEADERS_DESC= HTTP header control HEARTBEAT_DESC= Generates Heartbeats HEARTMONITOR_DESC= Collects Heartbeats -HTTP2_DESC= HTTP/2 (RFC 7540) support (experimental) +HTTP2_DESC= HTTP/2 (RFC 7540) support IDENT_DESC= RFC 1413 ident lookups IMAGEMAP_DESC= Server-side imagemaps Index: www/apache24/files/patch-modules_ssl_mod__ssl.c =================================================================== --- /dev/null +++ www/apache24/files/patch-modules_ssl_mod__ssl.c 
@@ -0,0 +1,34 @@
+--- modules/ssl/mod_ssl.c.orig 2017-04-03 11:39:20 UTC
++++ modules/ssl/mod_ssl.c
+@@ -337,12 +337,12 @@ static apr_status_t ssl_cleanup_pre_conf
+ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+ ENGINE_cleanup();
+ #endif
+-#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
++#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP)
+ SSL_COMP_free_compression_methods();
+ #endif
+
+ /* Usually needed per thread, but this parent process is single-threaded */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+ ERR_remove_thread_state(NULL);
+ #else
+@@ -383,14 +383,14 @@ static int ssl_hook_pre_config(apr_pool_
+ /* Some OpenSSL internals are allocated per-thread, make sure they
+ * are associated to the/our same thread-id until cleaned up.
+ */
+-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
++#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ ssl_util_thread_id_setup(pconf);
+ #endif
+
+ /* We must register the library in full, to ensure our configuration
+ * code can successfully test the SSL environment.
+ */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ CRYPTO_malloc_init();
+ #else
+ OPENSSL_malloc_init();
Index: www/apache24/files/patch-modules_ssl_ssl__engine__init.c
===================================================================
--- /dev/null
+++ www/apache24/files/patch-modules_ssl_ssl__engine__init.c
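Review bot: In the second mod_ssl.c hunk (ssl_hook_pre_config), the new guard `#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` parses as `(A && B) || C`, so a LibreSSL build without APR threads still compiles the `ssl_util_thread_id_setup(pconf)` call. The ssl_private.h patch in this same change keeps that prototype inside `#if APR_HAS_THREADS`, so the call would be undeclared in that configuration. Parenthesise it the way the ssl_engine_init.c patch already does: `#if APR_HAS_THREADS && (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))`. ssl_hook_pre_config starts and ends outside the hunk.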
@@ -0,0 +1,47 @@
+--- modules/ssl/ssl_engine_init.c.orig 2017-04-03 11:39:20 UTC
++++ modules/ssl/ssl_engine_init.c
+@@ -47,7 +47,7 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl,
+ #define KEYTYPES "RSA or DSA"
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* OpenSSL Pre-1.1.0 compatibility */
+ /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
+ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+@@ -257,7 +257,7 @@ apr_status_t ssl_init_Module(apr_pool_t
+ #endif
+ }
+
+-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
++#if APR_HAS_THREADS && ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
+ ssl_util_thread_setup(p);
+ #endif
+
+@@ -380,7 +380,7 @@ apr_status_t ssl_init_Module(apr_pool_t
+ modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
+
+ init_dh_params();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ init_bio_methods();
+ #endif
+
+@@ -1301,7 +1301,7 @@ static apr_status_t ssl_init_server_cert
+ * or configure NIST P-256 (required to enable ECDHE for earlier versions)
+ * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
+ */
+-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+ else {
+ #if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
+@@ -2011,7 +2011,7 @@ apr_status_t ssl_init_ModuleKill(void *d
+
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ free_bio_methods();
+ #endif
+ free_dh_params();
Index: www/apache24/files/patch-modules_ssl_ssl__engine__io.c
===================================================================
--- /dev/null
+++ www/apache24/files/patch-modules_ssl_ssl__engine__io.c
@@ -0,0 +1,38 @@
+--- modules/ssl/ssl_engine_io.c.orig 2017-05-30 12:26:05 UTC
++++ modules/ssl/ssl_engine_io.c
+@@ -164,7 +164,7 @@ static int bio_filter_create(BIO *bio)
+ {
+ BIO_set_shutdown(bio, 1);
+ BIO_set_init(bio, 1);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* No setter method for OpenSSL 1.1.0 available,
+ * but I can't find any functional use of the
+ * "num" field there either.
+@@ -549,7 +549,7 @@ static long bio_filter_in_ctrl(BIO *bio,
+ return -1;
+ }
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+
+ static BIO_METHOD bio_filter_out_method = {
+ BIO_TYPE_MEM,
+@@ -2024,7 +2024,7 @@ static void ssl_io_input_add_filter(ssl_
+
+ filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
+ #else
+ filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
+@@ -2059,7 +2059,7 @@ void ssl_io_filter_init(conn_rec *c, req
+ filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
+ filter_ctx, r, c);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
+ #else
+ filter_ctx->pbioWrite = BIO_new(bio_filter_out_method);
Index: www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
===================================================================
--- /dev/null
+++ www/apache24/files/patch-modules_ssl_ssl__engine__kernel.c
@@ -0,0 +1,11 @@
+--- modules/ssl/ssl_engine_kernel.c.orig 2017-05-02 11:01:17 UTC
++++ modules/ssl/ssl_engine_kernel.c
+@@ -1733,7 +1733,7 @@ static void modssl_proxy_info_log(conn_r
+ * so we need to increment here to prevent them from
+ * being freed.
+ */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define modssl_set_cert_info(info, cert, pkey) \
+ *cert = info->x509; \
+ CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
Index: www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
===================================================================
--- /dev/null
+++ www/apache24/files/patch-modules_ssl_ssl__engine__vars.c
@@ -0,0 +1,11 @@
+--- modules/ssl/ssl_engine_vars.c.orig 2017-03-20 12:01:16 UTC
++++ modules/ssl/ssl_engine_vars.c
+@@ -529,7 +529,7 @@ static char *ssl_var_lookup_ssl_cert(apr
+ resdup = FALSE;
+ }
+ else if (strcEQ(var, "A_SIG")) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
+ #else
+ const ASN1_OBJECT *paobj;
Index: www/apache24/files/patch-modules_ssl_ssl__private.h
===================================================================
--- /dev/null
+++ www/apache24/files/patch-modules_ssl_ssl__private.h
@@ -0,0 +1,55 @@
+--- modules/ssl/ssl_private.h.orig 2017-04-03 11:39:20 UTC
++++ modules/ssl/ssl_private.h
+@@ -123,6 +123,16 @@
+ #define MODSSL_SSL_METHOD_CONST
+ #endif
+
++#if defined(LIBRESSL_VERSION_NUMBER)
++/* Missing from LibreSSL */
++#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
++#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
++#define SSL_CTX_set_min_proto_version(ctx, version) \
++ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
++#define SSL_CTX_set_max_proto_version(ctx, version) \
++ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
++#endif
++
+ #if defined(OPENSSL_FIPS)
+ #define HAVE_FIPS
+ #endif
+@@ -136,7 +146,7 @@
+ #endif
+
+ /* session id constness */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define IDCONST
+ #else
+ #define IDCONST const
+@@ -199,7 +209,7 @@
+
+ #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768
+ #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024
+ #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536
+@@ -219,7 +229,7 @@ void init_bio_methods(void);
+ void free_bio_methods(void);
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get0_store(x) (x->ctx)
+ #endif
+
+@@ -934,7 +944,7 @@ char *ssl_util_readfilter(server_
+ const char * const *);
+ BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
+ #if APR_HAS_THREADS
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ void ssl_util_thread_setup(apr_pool_t *);
+ #endif
+ void ssl_util_thread_id_setup(apr_pool_t *);
Index:
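Review bot: The LibreSSL shim added in the first ssl_private.h hunk hard-codes ctrl numbers 123 and 124 and defines `SSL_CTX_set_min_proto_version` / `SSL_CTX_set_max_proto_version` for every LibreSSL version, with no upper bound and no check that the library honours those codes. If the linked LibreSSL does not handle them, `SSL_CTX_ctrl` presumably just reports failure, and unless the callers (not on this page) check the result, the configured protocol floor and ceiling would be dropped without any log entry; on a LibreSSL that ships these functions itself, the macros would shadow them. I would bound the block, e.g. `#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < FIRST_RELEASE_WITH_NATIVE_API /* placeholder */`, and replace the "Missing from LibreSSL" comment with one naming the LibreSSL releases on which the two ctrl codes were verified to take effect. The unbounded `|| defined(LIBRESSL_VERSION_NUMBER)` on `X509_STORE_CTX_get0_store` in the fourth hunk has the same shadowing concern.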
www/apache24/files/patch-modules_ssl_ssl__util.c
===================================================================
--- /dev/null
+++ www/apache24/files/patch-modules_ssl_ssl__util.c
@@ -0,0 +1,11 @@
+--- modules/ssl/ssl_util.c.orig 2017-03-24 13:31:03 UTC
++++ modules/ssl/ssl_util.c
+@@ -247,7 +247,7 @@ void ssl_asn1_table_unset(apr_hash_t *ta
+ }
+
+ #if APR_HAS_THREADS
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * To ensure thread-safetyness in OpenSSL - work in progress
+ */
Index: www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
===================================================================
--- /dev/null
+++ www/apache24/files/patch-modules_ssl_ssl__util__ssl.h
@@ -0,0 +1,11 @@
+--- modules/ssl/ssl_util_ssl.h.orig 2017-03-20 12:01:16 UTC
++++ modules/ssl/ssl_util_ssl.h
+@@ -41,7 +41,7 @@
+ #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
+ #define MODSSL_LIBRARY_NAME "OpenSSL"
+ #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+ #else
+ #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
Index: www/apache24/files/patch-support_ab.c
===================================================================
--- /dev/null
+++ www/apache24/files/patch-support_ab.c
@@ -0,0 +1,11 @@
+--- support/ab.c.orig 2017-05-28 21:15:41 UTC
++++ support/ab.c
+@@ -2514,7 +2514,7 @@ int main(int argc, const char * const ar
+ exit(1);
+ }
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_set_max_proto_version(ssl_ctx, max_prot);
+ SSL_CTX_set_min_proto_version(ssl_ctx, min_prot);
+ #endif
Index: www/apache24/files/pkg-message.in
===================================================================
--- /dev/null
+++ www/apache24/files/pkg-message.in
@@ -0,0 +1,5 @@
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! mod_http2 on FreeBSD with OpenSSL from base results in a mostly !!
+!! functionally unusable module due to lack of "Upgrade" !!
+!! capability in OpenSSL 1.0.1. !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Index: www/apache24/pkg-plist
===================================================================
--- www/apache24/pkg-plist
+++ www/apache24/pkg-plist
@@ -109,6 +109,7 @@
 %%MOD_AUTHZ_OWNER%%libexec/apache24/mod_authz_owner.so
 %%MOD_AUTHZ_USER%%libexec/apache24/mod_authz_user.so
 %%MOD_AUTOINDEX%%libexec/apache24/mod_autoindex.so
+%%MOD_BROTLI%%libexec/apache24/mod_brotli.so
 %%MOD_BUCKETEER%%libexec/apache24/mod_bucketeer.so
 %%MOD_BUFFER%%libexec/apache24/mod_buffer.so
 %%MOD_CACHE%%libexec/apache24/mod_cache.so
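Review bot: With the `&& !defined(LIBRESSL_VERSION_NUMBER)` added in the support/ab.c hunk, a LibreSSL build never applies `min_prot` / `max_prot` to `ssl_ctx`. If those variables are filled from a command-line protocol option earlier in `main` (outside the hunk), that option is then silently ignored and the tool negotiates whatever the library defaults allow. A comment at the `#if` stating this, or an `#else` branch that warns when a protocol was requested, would keep results from being attributed to the wrong TLS version. `main` starts and ends outside the hunk.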